Configuring DynamoDB VPC Endpoints with AWS CloudFormation

May 1, 2017

VPC Endpoints on Amazon Web Services (AWS) are a service that lets you create a private connection between your VPC and a service that supports VPC endpoints, without routing the traffic through a NAT device, proxy server, or similar intermediary.

Since their launch in May 2015, VPC endpoints have only been available for connectivity to Amazon Simple Storage Service (S3) — their high performance object storage platform.

Just a few weeks ago AWS announced that VPC Endpoints for DynamoDB are now available in public preview. Of course I joined.

All of the documentation for this feature shows the endpoints being activated through the console, but since I build my environment exclusively with CloudFormation I wanted to see whether it was possible to do it there as well.

The answer is yes.

To get started I created a DynamoDB endpoint resource in my CloudFormation template:

The following resources are defined elsewhere in the template, so adjust to suit your environment:

VPC - The VPC resource. You could set this to an existing VPC ID.

PublicRouteTable - my public route table.

Private(0/1/2)RouteTable - my private route tables. These will be updated with a route to the endpoint.

Of course, the primary benefit of a VPC endpoint is the ability to restrict what it can be used for. You could, for example, attach a policy document that only allows the endpoint to be used to access a specific DynamoDB table.

For example, this resource, with its attached policy document, would restrict access through the endpoint to only the table “arn:aws:dynamodb:ap-southeast-2:123412341234:table/test”:
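The post's own template resource is not shown on this page; the following CloudFormation YAML is an added example (not the author's code) of an endpoint resource of that shape, assuming a VPC resource named VPC and route tables PublicRouteTable and Private0/1/2RouteTable defined elsewhere in the template:

```yaml
# Added example, not the template from this post. Assumes the resources VPC,
# PublicRouteTable, Private0RouteTable, Private1RouteTable and Private2RouteTable
# exist elsewhere in the same template.
Resources:
  DynamoDBEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      # Gateway endpoints are regional: the service name's region must match the
      # region of the stack (and of the table ARN below).
      ServiceName: com.amazonaws.ap-southeast-2.dynamodb
      # CloudFormation adds a route to the DynamoDB prefix list to each table listed.
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      # Endpoint policy: only the "test" table is reachable through this endpoint.
      # Principal is "*" because the policy filters what passes through the endpoint;
      # it grants nothing by itself, so each caller's IAM policy still applies.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 'dynamodb:*'
            Resource:
              - 'arn:aws:dynamodb:ap-southeast-2:123412341234:table/test'
```

After the stack is created, each listed route table gains a route whose destination is the regional DynamoDB prefix list (visible with `aws ec2 describe-vpc-endpoints` and in the route table), and a request sent through the endpoint to any other table is denied even when the caller's IAM policy would otherwise allow it.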